Colorado Governor Jared Polis signed the Colorado Privacy Act (the “CPA”) into law on July 8, 2021, making Colorado the third state (after California and Virginia) to pass a comprehensive privacy law to protect its residents. The CPA will go into effect on July 1, 2023.
The CPA will apply to legal entities conducting business in Colorado or delivering products or services targeted to Colorado residents that either (1) control or process the personal data of 100,000 or more consumers during a year, or (2) control or process the personal data of 25,000 or more consumers and derive revenue or receive a discount on the price of goods or services from the sale of personal data. There is no applicable revenue threshold. “Consumers” are defined in the CPA to include Colorado residents acting in their individual or household contexts. The CPA excludes individuals acting in a commercial or employment context, job applicants, and beneficiaries of someone acting in an employment context from its definition of “consumer.” “Personal data” under the CPA is defined to mean “information that is linked or reasonably linkable to an identified or identifiable individual.” The CPA’s requirements will not extend to de-identified data or publicly available information.
Following are the compliance requirements for CPA:
Consumer Personal Data Rights
A) Request Submitting Methods
The methods for submitting requests do not have to be specific to Colorado if they:
Clearly indicate that the rights are available to Colorado consumers
Provide all data rights to Colorado consumers
Provide Colorado consumers with a clear understanding of how to exercise their rights
Comply with the draft rule’s general notice requirements
B) Opt-Out Requests (Including Opt-Out Link)
Upon receiving an opt-out request, controllers must cease processing the personal data for the opt-out purpose(s) within fifteen days.
A controller must provide an opt-out method “either directly or through a link, clearly and conspicuously in its privacy notice as well as in a clear, conspicuous, and readily accessible location outside the privacy notice.”
If a controller uses a link, the link must take a consumer directly to the opt-out method and the link text must provide a clear understanding of its purpose.
C) Right of Access
Controllers must provide data “in a form that is concise, transparent and easily intelligible, and avoids incomprehensible or unexplained internal identifiers or codes” as a response to access requests.
Controllers must inform the consumer that they have collected information that could create security breaches, that is, government-issued identification numbers, financial account numbers, health insurance or medical identification numbers, an account password, security questions and answers, or biometric data.
D) Right to Correction
Controllers must correct the personal data across all data flows and repositories and implement measures to ensure that the personal data remains corrected.
Controllers also must instruct processors to correct the personal data in their systems.
E) Right to Deletion
Controllers do not have to delete personal data stored on backup systems until that system is restored or is accessed for a sale, disclosure, or commercial purpose.
Controllers that deny a request to delete based on an exception must:
Delete any personal data not subject to the exception.
Provide the consumer with a list of the personal data that was not deleted along with the applicable exception.
Not use the personal data for any other purpose.
The draft rules also add on the data broker deletion exception.
Specifically, controllers that obtain data from sources other than directly from the consumer may comply with a deletion request by either (i) retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the personal data remains deleted from the consumer’s records and not using such retained data for any other purpose, or (ii) opting the consumer out of the processing of such personal data for any purpose except for those exempted pursuant to the provisions of C.R.S. § 6–1–1304.
F) Right to Data Portability
Controllers will not be required to provide personal data that discloses a controller’s trade secrets when responding to a portability request
G) Authentication
Controllers must establish “reasonable methods” to authenticate requests considering the right exercised, the type, sensitivity, value and volume of the personal data and the level of possible harm that could come from improper use or access.
H) Responding to Requests
If a controller denies a request, it needs to provide a detailed explanation for its decision, including (as applicable): (a) any conflict with federal or state law, (b) the relevant exception to the CPA, © the controller’s inability to authenticate the consumer’s identity, (d) any factual basis for a controller’s good-faith claim that compliance is impossible, or (e) any good-faith, documented belief that the request is fraudulent or abusive.
Universal Opt-Out Mechanism (UOOM)
The purpose of UOOMs is to provide consumers with a simple and easy-to-use method by which they can automatically exercise their opt-out rights with all controllers they interact with without having to make individualized requests with each controller.
By April 1, 2024, the Office will be required to maintain a public list of UOOMs.
Duties of Controllers
A) Privacy Notices
Controllers need not provide a separate Colorado-specific privacy notice or section of a privacy notice if the privacy notice contains all information required by the rules and “makes clear” that Colorado residents are entitled to the rights provided in section 1306 of the CPA. Notices must be posted online using the word “privacy.”
Controllers must describe each processing purpose “in a level of detail that gives Consumers a meaningful understanding of how their Personal Data is used and why their Personal Data is necessary for the Processing purpose.”
For each processing purpose, the notice must provide: (a) The categories of personal data processed. (b) The categories of personal data that the controllers sell to or shared with third parties, if any. © The categories of third parties to whom the controller sells, or with whom the controller shares personal data, if any.
B) Changes to the Privacy Notice
Controllers must notify consumers of “substantive or material changes to a privacy notice” including changes to: (a) Categories of personal data processed. (b) Processing purposes. © Controller’s identity. (d) Methods by which consumers can exercise their rights.
Changes must be made fifteen days prior to when they will go into effect.
C) Loyalty Programs
“Bona fide loyalty program” is defined as “a loyalty, rewards, premium feature, discount, or club card program established for the genuine purpose of providing discounts, rewards, or other actual value to Consumers that voluntarily participate in that program.”
“Bona fide loyalty program benefit” is defined as “an offer of superior price, rate, level, quality, or selection of goods or services provided to a Consumer through a Bona Fide Loyalty Program.”
Controllers that provide bona fide loyalty programs must provide a number of disclosures, including: (a) Categories of personal data collected through the program that will be sold or processed for targeted advertising, if any. (b) Categories of third parties that will receive the consumer’s personal data, including whether personal data will be provided to data brokers. © The value of the bona fide loyalty program benefits available to the consumer if the consumer opts out of the sale of personal data or processing of personal data for targeted advertising and the value of the bona fide loyalty program benefits available to the consumer if they do not opt out. (d) List of program benefits that require the processing of personal data for sale or targeted advertising and the third party receiving the personal data and providing each such program benefit, if applicable.
D) Purpose Specification
Controllers are required to specify the “express purpose” for the processing of personal data in both external disclosures to consumers and internal documentation.
If personal data is processed for multiple purposes, each purpose must be detailed.
E) Data Minimization
The rules suggest that controllers must create and enforce document retention schedules, stating that to ensure personal data “are not kept longer than necessary, adequate, or relevant, Controllers shall set specific time limits for erasure or to conduct a periodic review.”
Further, any personal data “determined no longer to be necessary, adequate or relevant to the express Processing purpose(s) shall be deleted by the Controller and any Processors.”
Controllers also must review the retention of biometric identifiers annually.
F) Secondary Use
Controllers must obtain consumer consent before processing personal data for a purpose that is not reasonably necessary or compatible with the purpose disclosed at the time of collection.
G) Duty Regarding Sensitive Data
The rules create a new category of sensitive data called “Sensitive Data Inferences” defined as “inferences made by a Controller based on Personal Data, alone or in combination with other data, which indicate an individual’s racial or ethnic origin; religious beliefs; mental or physical health condition or diagnosis; sex life or sexual orientation; or citizenship or citizenship status.”
Controllers can process such inferences without user consent under limited circumstances, including that the inferences be deleted within 12 hours of collection.
Consent
The CPA will require controllers to obtain consumer consent for the processing of sensitive data.
Consent must be: (a) Obtained through the consumer’s clear, affirmative action (b) Freely given © Specific (d) Informed (e) Reflect the consumer’s unambiguous agreement
The rules also clarify that consent can be withdrawn, which is not specifically stated in the CPA.
The CPA draft rules provide a significant discussion of dark patterns. The rules provide that controllers are prohibited from using “an interface design or choice architecture that has the substantial effect of subverting or impairing user autonomy, decision making or choice, or unfairly, fraudulently, or deceptively manipulating or coercing a Consumer into providing Consent.” The rules go on to specify the contours of what constitutes a dark pattern.
Data Protection Assessments
The CPA requires that controllers perform data protection assessments for processing activities that create a heightened risk of harm to consumers, including selling data, processing sensitive data, and engaging in certain types of profiling activities.
Data protection assessments must be “a genuine, thoughtful analysis.”
The assessment must involve “all relevant actors from across the Controller’s organizational structure, and where needed, relevant external parties.”
The assessment must “at a minimum” describe eighteen different topics identified in the rule, including the processing activity, the purpose of the processing activity, the types of personal data processed, names and categories of third-party recipients, consumer expectations, and risks to consumers.
Assessments are required to be completed before initiating a processing activity, must be reviewed periodically, and must be turned over to the Attorney General within 30 days of request.
Profiling
Controllers that engage in profiling subject to the CPA’s opt-out right are required to provide additional information in their privacy notice regarding the profiling activity, including what decision is subject to profiling, a “plain language explanation of the logic used in the Profiling process” and why profiling is relevant to the ultimate decision.
The rules also distinguish between profiling based on: (a) Solely automated processing (b) Human reviewed automated profiling © Human involved automated processing